Researchers have found financial and technological links between the Karakurt cybercriminal group and two high-profile ransomware actors that signal a shift in business operations and an expansion of opportunities for the threat actors to target victims, they said.
Karakurt—a financially motivated threat actor first identified last summer—now appears to be entangled with both the Conti and Diavol groups, researchers from Tetra Defense, an Arctic Wolf company, and Chainalysis revealed in a report published Friday.
Researchers used forensics-based threat intel and blockchain analysis in their discovery that the two ransomware groups—which were believed to be operating independently—have now become part of the evolving Karakurt web, they said. The ties between Karakurt and Conti especially appear to be strong, with the former working off the latter’s resources, they said.
“Whether Karakurt is an elaborate side hustle by Conti and Diavol operatives or whether this is an enterprise sanctioned by the overall organization remains to be seen,” researchers said. “What we can say is this connection perhaps explains why Karakurt is surviving and thriving despite some of its exfiltration-only competitors dying out.”
Widening the Web
The findings are significant for a number of reasons. One is that the links appear to show Karakurt embracing ransomware, which did not appear to be the case when it was first identified last year.
The group—which takes its name from a venomous spider commonly found in eastern Europe and Siberia—initially demonstrated sole interest in data exfiltration and subsequent extortion rather than ransomware, which allowed it to move quickly. In fact, Karakurt already had amassed 40 victims, 95 percent of which were in North America and the rest in Europe, in its first few months of operation.
With links to ransomware groups, Karakurt clearly is expanding its horizons, researchers said. However, the move appears to be benefitting Conti just as much, representing a shift in that group’s tactics as well, researchers said.
Conti previously operated on a “standard pledge” to victims that if they pay a ransom to the group, they will not be targeted in future attacks, according to the report. However, Tetra Defense initially discovered the link between Karakurt and Conti at a client who claimed to have been hit with another extortion attempt after already falling victim to Conti and paying the ransom demand.
That second attempt was from an unknown group that stole data but did not use encryption to do so—the modus operandi of Karakurt, researchers found. Moreover, Karakurt does not seem to delete the data it steals, which also seems to renege on Conti’s promise to victims, they said.
Coincidentally, that particular client incident occurred during a tough time for Conti, which was grappling with disgruntled affiliates who wanted to be paid more, one of whom turned on the group by leaking Conti’s playbook and training materials. Researchers surmised that linking up would have been a mutually beneficial scenario for both cybercriminal groups, and found financial, technological and other evidence of the connection.
Proof of Connections
On the technological side, researchers observed similarities between Karakurt and Conti by creating a dataset of Karakurt intrusions, of which they’ve already observed more than a dozen, they said.
“While Karakurt attacks can vary with respect to tools, some notable overlaps began to emerge between some Karakurt intrusions and the earlier suspected Conti-related re-extortion,” researchers wrote.
These included the use of Fortinet SSL VPNs for the initial point of intrusion; the use of the same tools for exfiltration; “a unique adversary choice” to create and leave behind a file listing of exfiltrated data named “file-tree.txt” in the victim’s environment; and the repeated use of the same attacker hostname when remotely accessing victims’ networks, they wrote.
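The overlap analysis described above, worked as an added example that is not the researchers' own tooling: incident records are scored on how many of the reported indicators they share (initial-access vector, exfiltration tool, the leftover "file-tree.txt" listing, and a repeated attacker hostname). All incident data, hostnames, tool names and weights are constructed assumptions.

```python
# Added example: weighted indicator overlap between intrusion records.
from collections import Counter
from itertools import combinations

# Constructed incident records; every value here is invented for illustration.
INCIDENTS = [
    {"id": "inc-01", "initial_access": "fortinet_ssl_vpn", "exfil_tool": "rclone",
     "artifacts": {"file-tree.txt"}, "attacker_hosts": {"WIN-EXAMPLE-A"}},
    {"id": "inc-02", "initial_access": "fortinet_ssl_vpn", "exfil_tool": "rclone",
     "artifacts": {"file-tree.txt"}, "attacker_hosts": {"WIN-EXAMPLE-A"}},
    {"id": "inc-03", "initial_access": "phishing", "exfil_tool": "winscp",
     "artifacts": set(), "attacker_hosts": {"DESKTOP-OTHER"}},
]

# Assumed weights: a bespoke artifact and a repeated attacker hostname are
# treated as stronger evidence of shared operators than a common access vector.
WEIGHTS = {"initial_access": 1, "exfil_tool": 1, "artifacts": 2, "attacker_hosts": 3}


def overlap_score(a, b):
    """Return (weighted score, list of matching fields) for two incidents."""
    matched = []
    if a["initial_access"] == b["initial_access"]:
        matched.append("initial_access")
    if a["exfil_tool"] == b["exfil_tool"]:
        matched.append("exfil_tool")
    if a["artifacts"] & b["artifacts"]:
        matched.append("artifacts")
    if a["attacker_hosts"] & b["attacker_hosts"]:
        matched.append("attacker_hosts")
    return sum(WEIGHTS[f] for f in matched), matched


def likely_linked(incidents, threshold=5):
    """Incident pairs whose weighted overlap meets the threshold."""
    linked = []
    for a, b in combinations(incidents, 2):
        score, fields = overlap_score(a, b)
        if score >= threshold:
            linked.append((a["id"], b["id"], score, fields))
    return linked


def repeated_hostnames(incidents):
    """Attacker hostnames observed in more than one incident."""
    counts = Counter(h for inc in incidents for h in inc["attacker_hosts"])
    return {h for h, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(likely_linked(INCIDENTS))
    print(repeated_hostnames(INCIDENTS))
```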
Tetra researchers also worked with Chainalysis and its blockchain analysis team, to analyze cryptocurrency transactions carried out by Conti and Karakurt, which revealed financial connections between the two, they said.
“Blockchain analysis provided some of the earliest indication of Karakurt’s ties to Conti ransomware, as the relevant transactions pre-date the discovery of the similarities in Karakurt and Conti’s software and attack strategy,” they said.
Specifically, Chainalysis identified dozens of cryptocurrency addresses belonging to Karakurt, scattered across multiple wallets with victim payments ranging from $45,000 to $1 million worth of cryptocurrency.
In their analysis, researchers quickly observed Karakurt wallets sending significant amounts of cryptocurrency to Conti wallets—in one instance, for example, Karakurt’s extortion wallet moved 11.36 Bitcoin, or about $472,000 at the time of transfer, to a Conti wallet, they said.
Chainalysis also discovered shared wallet hosting between both Conti and Karakurt victim payment addresses, leaving “virtually no doubt that Conti and Karakurt are deployed by the same individual or group,” researchers noted.
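To make the wallet reasoning above concrete, here is an added example that is not Chainalysis's method: addresses spent together as inputs of one transaction are assumed to be controlled by the same party (the common-input-ownership heuristic, an assumption the report does not state), clusters are then checked for addresses attributed to more than one group, and the BTC flowing from one group's addresses to another's is summed. The ledger, addresses and attribution labels are constructed placeholders.

```python
# Added example: address clustering and cross-group fund flow on a toy ledger.
from collections import defaultdict

# Constructed transactions: input addresses and (output address, BTC) pairs.
TXS = [
    {"inputs": ["kk_pay_1", "kk_pay_2"], "outputs": [("kk_ext", 5.0)]},
    {"inputs": ["kk_ext"], "outputs": [("conti_wallet", 11.36)]},  # figure from the report
    {"inputs": ["conti_pay_1", "kk_pay_2"], "outputs": [("conti_wallet", 2.0)]},
]
# Constructed attribution, standing in for externally known victim-payment addresses.
ATTRIBUTION = {"kk_pay_1": "Karakurt", "kk_pay_2": "Karakurt", "kk_ext": "Karakurt",
               "conti_pay_1": "Conti", "conti_wallet": "Conti"}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Map each input address to a cluster id under common-input ownership."""
    uf = UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        uf.find(first)  # register single-input transactions too
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def mixed_attribution_clusters(txs, attribution):
    """Clusters holding addresses attributed to more than one group."""
    labels = defaultdict(set)
    for addr, cid in cluster_addresses(txs).items():
        if addr in attribution:
            labels[cid].add(attribution[addr])
    return {cid: groups for cid, groups in labels.items() if len(groups) > 1}


def flow_between(txs, attribution, src, dst):
    """Total BTC sent from addresses attributed to src to addresses attributed to dst."""
    total = 0.0
    for tx in txs:
        if all(attribution.get(a) == src for a in tx["inputs"]):
            total += sum(v for a, v in tx["outputs"] if attribution.get(a) == dst)
    return total
```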
Link to Diavol
Tetra researchers also observed the use of shared tools and infrastructure between Karakurt and the Diavol ransomware group, which also has been associated with the dangerous and widely used trojan TrickBot.
Specifically, leaks from Jabber chats between February and March of this year confirmed that Karakurt and Diavol operators were sharing attacker infrastructure during the same period of time, researchers said.
Further, blockchain analysis also confirmed Diavol’s connection to Karakurt and Conti, showing that Diavol and Karakurt extortion addresses are being hosted by the Conti wallet, they said.
“Again, this common address ownership confirms with near total certainty that Diavol is deployed by the same actors behind Conti and Karakurt,” researchers wrote.